@doist/reactist

Open source React components by Doist

Versions: 12
License: MIT
Install scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

ricardoisthenningmujvalenteantondoistjefcurtisdoistbotfbidugoncalossilvaomar.doist.comitsevertvscottatdoisternestodoist

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-added | AI (maintainer-change): Named maintainers are known Doist org members; consistent with org-managed package published via GitHub Actions CI. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): patch-package postinstall is a standard dependency-patching pattern; stable for this package. | ai |
phantom-deps | phantom-dep:patch-package | AI (phantom-deps): patch-package is invoked via postinstall script, not imported; phantom-dep is a false positive here. | ai |
phantom-deps | phantom-dep:react-markdown | AI (phantom-deps): react-markdown is a runtime dep used in components; phantom-dep heuristic misfires on this package. | ai |
bogus-package | bogus-package | AI (bogus-package): Established Doist OSS library; README signals are false positives for this well-known package. | ai |

Versions (showing 12 of 12)

Version | Deps | Published
31.3.0 | 8 / 74 |
31.0.0 | 8 / 102 |
30.1.4 | 8 / 105 |
30.1.2 | 8 / 105 |
30.1.1 | 8 / 105 |
30.0.1 | 8 / 100 |
29.1.2 | 8 / 99 |
29.1.1 | 7 / 93 |
29.1.0 | 7 / 93 |
29.0.0 | 7 / 93 |
28.7.4 | 8 / 91 |
28.7.3 | 8 / 89 |

v31.3.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v31.0.0

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v30.1.2

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v30.1.1

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v30.0.1

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.1.2

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.1.1

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.1.0

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.0.0

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v28.7.4

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v28.7.3

2 findings
HIGH (install-scripts): Package has 'postinstall' script

Script: patch-package

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.